VMware Cloud Community
hajarada
Contributor

Content Library objects are not visible for users with no global permissions

Hello,

Just trying to get my head around an issue I just saw, and I don't think I am the only person who has wondered about this.

Running vCenter 6.5U2 I have created a couple of local content libraries.

Permissions on this vCenter use LDAP group membership, such as:

1. Global Permission: Administrator: GlobalAdminsLDAPGroup

2. Under Datacenters each team has their own resource pool (based on LDAP Group Membership), each user has a resource pool under their team pool and a team member is an Administrator on those pools only (when a user logs in they only see their team pool/folder and their own pool/folder under it).

The challenge here is, users (who are only admins on their own pools and team pools) when they try and create "New VM from Library" nothing is presented to them as you can see below:

[Image: pastedImage_0.png]

Global Administrators do see the content of all libraries created.

When I assign the users read-only global permissions, at that point they can deploy from the content library, but that also allows them to see all the pools and the users for other teams, which we don't want to do.

Any thoughts on what is the obvious I am missing here? Is there a way I can set Read Only permissions on content libraries?

1 Reply
msripada
Virtuoso

Content libraries are generally used across vCenters to share ISOs or library items. Individual users/admins may not necessarily be seeing these items as required and may not have permissions, since it is at a multi-site level, which usually requires the vCenter global permissions.

This is already explained in the docs: Hierarchical Inheritance of Permissions for Content Libraries

For example, a user has an Administrator role that is defined at a vCenter Server level. When the Administrator navigates to Content Libraries in the object navigator, he sees 0 libraries despite there are existing libraries in the vSphere inventory of that vCenter Server instance. To see the libraries, the Administrator needs a Read-Only role assigned as a global permission.

Thanks,

MS
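
The inheritance behaviour discussed in this thread, as an added example that is not part of either post or of VMware's code: a simplified Python model in which content libraries are children of the global root rather than of the vCenter Server. The object names are constructed, and the rule used (single principal, nearest permission on the path to the root wins, every permission propagates) is an assumption made for illustration.

```python
# Simplified model of vSphere permission inheritance (assumption: one
# principal, nearest permission on the path to the root wins, and every
# permission propagates to child objects).
PARENT = {                               # constructed sample inventory
    "vcenter01": "global-root",
    "content-library-A": "global-root",  # libraries hang off the global root
    "datacenter1": "vcenter01",
    "team1-pool": "datacenter1",
    "team2-pool": "datacenter1",
    "alice-pool": "team1-pool",
}

def effective_role(permissions, obj):
    """Walk from obj up to the root and return the first role found, else None."""
    node = obj
    while node is not None:
        if node in permissions:
            return permissions[node]
        node = PARENT.get(node)
    return None

def visible(permissions):
    """Inventory objects on which the principal holds any role at all."""
    return sorted(o for o in PARENT if effective_role(permissions, o))

# Role defined at the vCenter Server level: the library is not below it.
VCENTER_ADMIN = {"vcenter01": "Administrator"}
# The poster's setup: Administrator only on the team pool.
POOL_ADMIN = {"team1-pool": "Administrator"}
# The poster's workaround: global Read-Only added on top of the pool role.
POOL_ADMIN_GLOBAL_RO = {"global-root": "Read-Only", "team1-pool": "Administrator"}

if __name__ == "__main__":
    for name, perms in [("vCenter admin", VCENTER_ADMIN),
                        ("pool admin", POOL_ADMIN),
                        ("pool admin + global Read-Only", POOL_ADMIN_GLOBAL_RO)]:
        print(f"{name}: {visible(perms)}")
```

The third case shows both effects reported in the question: the library becomes visible, and so does the other team's pool, because the global Read-Only role propagates to everything below the root.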